RPM-RS
A pure rust library for working with RPM files.
This is not, nor is it intended to be, a full replacement for the original rpm library / tools.
Goals
- Easy to use API
- Independence from Spec files. Purely programmatic interface for Packaging.
- Pure rust to make it easy to use in larger projects, independent from libraries provided by the host OS
- Compatibility from Enterprise Linux 8 (RHEL, Alma, Rocky, CentOS Stream) to Fedora
Non Goals
RPM has a lot of features. I do not want to re-implement all of them.
- This library is for working with RPM packages on their own - installing RPMs and manipulating the system rpmdb is not supported
- This library does not build software like rpmbuild - it is meant for finished artifacts that need to be packaged as RPM
- Obsolete cryptography (md5, DSA) not supported
- Legacy RPMv3 signatures not supported (e.g.
SIGPGP,SIGGPG)
Status
- RPM Creation
- RPM Signing and Signature Verification
- RPM signing using an external signing service or Hardware Signing Module (HSM)
- High-level APIs for parsing RPM files, reading RPM metadata, and extracting payloads
Examples
Read package and access metadata
Check basic metadata
let pkg = open?;
let name = pkg.metadata.get_name?;
let version = pkg.metadata.get_version?;
let release = pkg.metadata.get_release?;
let arch = pkg.metadata.get_arch?;
println!;
for changelog in pkg.metadata.get_changelog_entries?
Query dependencies
let pkg = open?;
for dep in pkg.metadata.get_requires?
// Other dependency types: get_provides(), get_conflicts(), get_obsoletes(),
// get_recommends(), get_suggests(), get_enhances(), get_supplements()
Inspect package signatures
use SignatureVersion;
let pkg = open?;
for sig in pkg.signatures?
List and read file contents
let pkg = open?;
// List file metadata without reading the payload
for entry in pkg.metadata.get_file_entries?
// Iterate over file contents (decompresses the payload)
for entry in pkg.files?
Extract package contents to disk
Extract all files, directories, and symlinks from the package payload into a target directory - files are written relative to the target directory (not installed to their absolute paths).
// The directory must not already exist and its parent must exist.
let pkg = open?;
pkg.extract?;
// Creates ./extracted-pkg/ with the package's file tree inside it
Verify signatures
Verify using a keyring with multiple certificates
use Verifier;
// Keyring files containing multiple OpenPGP certificates are supported.
// The verifier will try each certificate until it finds one that matches.
let verifier = from_asc_file?;
let pkg = open?;
pkg.verify_signature?;
// You can also narrow down to a specific certificate by fingerprint:
let verifier = from_asc_file?
.with_key?;
Check individual signatures and digests
use Verifier;
let pkg = open?;
let verifier = from_asc_file?;
let report = pkg.check_signatures?;
// Check overall pass/fail
assert!;
// Or inspect individual digest results
if report.digests.sha256_header.is_verified
match &report.digests.sha3_256_header
// Inspect each signature with its metadata and whether it was verified (only one signature must verify to "pass")
for sig in &report.signatures
Sign packages
Sign an existing package and verify package signature
use ;
let signer = from_asc_file?;
let verifier = from_asc_file?;
let mut pkg = open?;
pkg.sign?;
pkg.write_to?;
let pkg = open?;
pkg.verify_signature?;
Sign with a specific subkey
use Signer;
let subkey_fingerprint = decode?;
let signer = from_asc_file?
.with_signing_key?;
let mut pkg = open?;
pkg.sign?;
Remote / HSM signing
There are two approaches for signing with keys that are not directly accessible as local key files (e.g. HSMs, remote signing services, or cloud KMS):
Option 1: Implement the Signing trait. If the signing call can be
made synchronously (even over a network round-trip), implement the trait
and pass it to the standard Package::sign or Package::resign_in_place
methods. BasicKeySigner bridges any pgp::SigningKey to the rpm-rs
Signing trait, and the pgp::adapter module provides ready-made
SigningKey implementations (RsaSigner, EcdsaSigner) that wrap any
Rust Crypto signature::Signer — making it straightforward to plug in
key backends such as PKCS#11 tokens or cloud KMS clients. See
examples/hsm-signing.rs for a complete example.
Option 2: Split extract / sign / apply. If signing is fully asynchronous or out-of-band (different process, different machine, a queue or webhook), extract the header bytes, send them to the signer, and apply the returned signature separately:
use Signer;
use Signing;
// Step 1: Extract the header bytes to be signed.
// Only reads the metadata, not the payload.
let metadata = open?;
let header_bytes = metadata.header_bytes?;
// Step 2: Sign the header bytes (this would normally happen on a remote system).
let signer = from_asc_file?;
let signature = signer.sign?;
// Step 3: Apply the signature.
// For in-memory packages:
let mut pkg = open?;
pkg.apply_signature?;
// Or apply directly to an on-disk package without loading the payload:
apply_signature_in_place?;
In-place signing and clearing of signatures
For large packages, it is often desirable to sign or clear signatures without reading or rewriting the payload. These methods modify only the signature header on disk, using the reserved space to keep the file size unchanged:
use ;
// Re-sign a package on disk (reads only the metadata, not the payload)
let signer = from_asc_file?;
resign_in_place?;
// Remove all signatures, converting their space to reserved space
// so that signatures can be added back later
clear_signatures_in_place?;
// Re-sign the cleared package — the reserved space from clearing is reused
resign_in_place?;
Build a new package
use Signer;
// For reproducible builds, set source_date to the timestamp of the last commit in your VCS
let build_config = default
.compression
.source_date;
let signer = from_asc_file?;
let pkg = new
.using_config
// set default ownership and permissions for files and directories, similar to %defattr
// in an RPM spec file. Pass None for any field to leave it unchanged (like `-` in %defattr).
.default_file_attrs
.default_dir_attrs
// add a file with no special options
// by default, files will be owned by the "root" user and group, and inherit their permissions
// from the on-disk file.
.with_file?
// you can set permissions, capabilities and other metadata (user, group, etc.) manually
.with_file?
// Add a file - setting flags on it equivalent to `%config(noreplace)`
.with_file?
// symlinks don't require a source file
.with_symlink?
// directories can be created with explicit ownership and permissions
// this does not add any directory contents, just declares a directory
.with_dir_entry?
// ghost files / directories are not included in the package payload, but their metadata
// (ownership, permissions, etc.) is tracked by RPM. This is commonly used for files
// created at runtime (e.g. log files, PID files).
.with_ghost?
.pre_install_script
// Alternatively, use scriptlet builder api to specify flags and interpreter/arguments
.post_trans_script
.build_host
.add_changelog_entry
.add_changelog_entry
.requires
.vendor
.url
.vcs
.build_and_sign?;
// Write to a specific file
pkg.write_to?;
// Or write to a directory with auto-generated filename (`target/awesome-0.1.0-1.x86_64.rpm`)
pkg.write_to?;